Network Working Group                                   Youval Nachum
Internet Draft                            Net Optics, an Ixia Company
Intended status: Proposed Standard                       Linda Dunbar
Expires: July 2014                                             Huawei
January 23, 2014                                          Tal Mizrahi
                                                              Marvell


                     Network Smart Tapping (SmarTap)
                       draft-nachum-smartap-00.txt


Abstract

   Tapping technologies provide traffic visibility to network analysis
   tools such as monitors, traffic recorders and security systems.
   Current tapping architectures and protocols are vendor specific and
   adapted to legacy networks.

   Emerging networks such as large scale datacenters for cloud
   applications and mobile backhaul networks demand accurate and fast
   network traffic visibility. These networks are built on Layer 2
   technologies and infrastructure to support virtual machine mobility
   and a growing number of devices, including mobile users.

   The SmarTap architecture is designed to support emerging network
   requirements, allowing network analysis tools to gain full
   visibility of network traffic. SmarTap technology monitors each
   link and each component of the network. It captures packets,
   classifies them and sends them to the tools with the relevant
   packet attributes. SmarTap can provide attributes such as flow-ID,
   tapping-location, tapping-time and statistics.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."





Nachum, et al.          Expires July 23, 2014                 [Page 1]

Internet-Draft                 SmarTap                    January 2014


   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 23, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction ................................................. 4
      1.1. SmarTap Motivation ...................................... 4
      1.2. Terms and Abbreviations Used in this Document ........... 4
      1.3. Existing Network Tapping Architecture ................... 5
      1.4. Network Analysis Tools Functionality .................... 7
      1.5. Emerging Networks ....................................... 7
         1.5.1. Emerging Networks characteristics .................. 8
      1.6. Networks Visibility Requirements ........................ 8
   2. SmarTap Description .......................................... 8
      2.1. SmarTap Functionality ................................... 8
      2.2. SmarTap Configuration ................................... 9
         2.2.1. Tapping Location .................................. 10
         2.2.2. Tapping Time stamping ............................. 10
         2.2.3. Flow Digest ....................................... 11
         2.2.4. Packet Format ..................................... 11
   3. SmarTap Deployment Options .................................. 12
      3.1. SmarTap with Network Analysis Tools .................... 13
      3.2. SmarTap with Layer-3 Networks .......................... 14
   4. Security Considerations ..................................... 14
   5. IANA Considerations ......................................... 14
   6. References .................................................. 14
      6.1. Informative References ................................. 14
   7. Acknowledgments ............................................. 14

1. Introduction

   Emerging networks such as large scale datacenters and mobile
   backhauls demand the use of network analysis tools to enable
   stable and secure operation of the network. Network analysis tools
   such as Application Aware Network Performance Monitoring [AA-NPM],
   Intrusion Detection Systems (IDS) and network recorders (such as
   recorders of financial transactions and phone calls) require
   visibility of the raw traffic, its tapping location and its exact
   tapping time.

   Network visibility building blocks are network TAPs, SPAN ports
   and Network Packet Brokers (NPBs). A TAP is a device located in
   the network which passes a copy of every packet to the monitoring
   tools. A SPAN port (Switched Port Analyzer) mirrors what comes into
   the target port or goes out of the target port to the sniffer port
   for monitoring purposes. An NPB device aggregates the monitored
   traffic from multiple ports to a single port or load balances the
   monitored traffic to multiple tools.

   SmarTap, introduced in this memo, defines a protocol and an
   architecture that standardize the way network TAPs, SPAN ports and
   NPBs interact with network analysis tools. SmarTap provides high
   resolution network visibility by capturing raw packets with their
   exact tapping-time, tapping-location and relevant statistics and
   sending them to the tools in a standard form.

1.1. SmarTap Motivation

   Network analysis tools require full and accurate visibility of the
   traffic that traverses the network. SmarTap standardizes the way
   tapping devices communicate with network analysis tools, specifies
   the information required by the tools and defines its data
   structure.

1.2. Terms and Abbreviations Used in this Document

   AA-NPM: Application Aware Network Performance Monitoring

   IDS: Intrusion Detection System

   NPB: Network Packet Broker

   VM: Virtual Machine

1.3. Existing Network Tapping Architecture

   Common network tapping architectures consist of network TAPs and
   Network Packet Brokers (NPBs). All links that are subject to
   tapping are connected to network TAPs in the following manner.
   Figure 1 depicts a link between Router-1 and Router-2 that is
   subject to tapping. The network TAP is connected between Router-1
   and Router-2 as shown in Figure 1.


        *--------------*     *-----*     *--------------*
        |   Router-1   |-----| TAP |-----|   Router-2   |
        *--------------*     *-----*     *--------------*
                                |
                                |
                                |
                            *--------*
                            | AA-NPM |
                            *--------*

                         Figure 1 Tapping Device

   The network TAP is transparent to Router-1 and Router-2 in all
   layers. It relays all packets from Router-1 to Router-2 and vice
   versa without any packet modification.

   The network TAP also supports network high availability. In case
   of TAP failure, the network TAP can be bypassed so that Router-1 is
   directly connected to Router-2. In case of link failure at
   Router-1 or Router-2, the network TAP mimics the failure towards
   the other router to enable network fast reroute.

   The network TAP is also connected to the network analysis tools,
   for example an Application Aware Network Performance Monitoring
   tool (AA-NPM) as shown in Figure 1. The network TAP can either
   redirect the packets to the network analysis tools or duplicate
   them, i.e. forward the original packet to the next router and
   transmit the copied packet to the tool.

        *--------------*     *-----*     *--------------*
        |   Router-1   |-----| TAP |-----|   Router-2   |
        *--------------*     *-----*     *--------------*
                                |
                                |
                                |
                            *--------*
                            |  NPB   |
                            *--------*
                             |      |
                             |      |
                             |      |
                      *---------*  *---------*
                      | AA-NPM-1|  | AA-NPM-2|
                      *---------*  *---------*


             Figure 2 Tapping Device with NPB (regeneration).

   Networks that monitor the traffic with multiple tools or monitor
   multiple links use Network Packet Brokers to aggregate or
   duplicate traffic. Figure 2 depicts an NPB that duplicates all
   packets received from the network TAP to AA-NPM-1 and AA-NPM-2.
   Figure 3 depicts an NPB that aggregates traffic, i.e., sends all
   packets received from TAP-1 and TAP-2 to the AA-NPM.



                          *-----* *-----*
                          |TAP-1| |TAP-2|
                          *-----* *-----*
                             |       |
                             |       |
                             |       |
                            *---------*
                            |   NPB   |
                            *---------*
                                 |
                                 |
                                 |
                             *--------*
                             | AA-NPM |
                             *--------*


             Figure 3 Tapping Device with NPB (aggregation).

1.4. Network Analysis Tools Functionality

   Network analysis tools analyze tapped packets according to the
   packet fields and accompanying data such as:

   - Tapping location
   - Tapping time
   - Packet transmitter and receiver location
   - Packet next hop and previous hop
   - Flow-ID
   - Packet statistics


   Network analysis tools in legacy networks deduce the tapping
   location of the packet from the receiving port. In networks where
   the TAP is directly connected to the tool, or an NPB with packet
   redirection is used, the receiving port at the tool indicates the
   tapping location. Networks using an aggregation NPB mark the
   tapped packet at the NPB with a vendor specific indication of the
   port on which it was received.

   Network analysis tools in Layer 3 networks deduce the next and
   previous hop of the tapped packets from the packet source and
   destination MAC addresses. The packet source MAC address refers to
   the previous hop router and the packet destination MAC address
   refers to the next hop router.

   In Layer 3 networks the source and destination IP addresses of the
   tapped packet refer to the locations of the packet transmitter and
   receiver.

   Network analysis tools in legacy networks treat the time at which
   the packet is analyzed by the tool or received by the NPB as the
   tapping time of the tapped packet.

1.5. Emerging Networks

   SmarTap is designed to support emerging networks such as cloud
   computing, mobile backhaul, large scale datacenters and financial
   computing. It also has significant advantages in legacy Layer 3
   networks.

1.5.1. Emerging Networks characteristics

   Emerging networks such as mobile backhauls and large scale
   datacenters support mobile entities like virtual machines and
   cellular devices. Mobile entities move through the network while
   their connections remain stable at all networking layers.

   Emerging network traffic is mostly Layer 2 based to allow
   efficient mobility, while timing and performance become more
   critical and require greater accuracy.

1.6. Networks Visibility Requirements

   Some of the characteristics of emerging networks conflict with the
   behavior of network TAPs, as presented above. Network analysis
   tools require full and accurate visibility of the tapped packet's
   location, time and data.

   In a Layer 2 based network, IP addresses are not location oriented
   and MAC addresses remain unchanged throughout the packet route.
   Therefore, the location of the sender and the receiver of the
   tapped packet cannot be deduced from its IP addresses, and the
   last hop and next hop cannot be deduced from its MAC addresses.

   Analysis tools require the exact tapping time of the tapped
   packets. If the tapping time is measured at the NPB or at the
   tool, the time at which the tapped packet is received there
   includes network propagation delay and is thus not accurate
   enough.

   Emerging networks produce a tremendous rate of traffic to analyze
   in comparison to the processing resources of typical tools. The
   common way to overcome this gap is to use an NPB to load balance
   traffic between multiple tools. Emerging networks require
   additional measures to overcome the increasing gap.



2. SmarTap Description

2.1. SmarTap Functionality

   SmarTap provides additional functionality beyond existing TAP
   technologies. It taps packets with their relevant metadata and
   sends them to the tools. Packet metadata includes: timestamp,
   location, related statistics and packet digest. The SmarTap device
   is typically connected to a remote tool, and can send the tapped
   packets with their metadata encapsulated within a tunnel.

   SmarTap supports multiple options to mitigate the traffic load on
   the tools. It can truncate tapped packets to a preconfigured size
   (e.g., 64 or 128 bytes). Tapped packets can be sampled and sent to
   the tools at a preconfigured ratio or rate. Traffic can be
   monitored by the TAP and sent to the tools conditionally. For
   example, SmarTap can filter the packets that are sent to the tools
   according to predefined filters or rate limits.



2.2. SmarTap Configuration

   SmarTap is a tapping element that is connected to the target
   tapped link in the same manner as a TAP. Figure 4 depicts a target
   link between Switch-1 and Switch-2 that needs to be monitored.

   The SmarTap is connected to Switch-1 and Switch-2 and functions as
   a regular TAP, i.e. the SmarTap is transparent to Switch-1 and
   Switch-2 and has all TAP capabilities. Moreover, the SmarTap taps
   packets from Switch-1 to Switch-2 (and vice versa) and sends them,
   with the packets' metadata, to a preconfigured target port. The
   target port can be any port of the SmarTap. In Figure 4 the target
   port is connected to "Switch-3". In configuration A the tools or
   the NPB can be connected to any network element, switch or router,
   and receive all the tapped packets with their metadata through
   tunnels. Figure 5 depicts a SmarTap that is directly connected to
   the tool and sends the tapped packets with their metadata directly
   to the tool without the need to encapsulate them in tunnels.



        *--------------*     *---------*     *--------------*
        |   Switch-1   |-----| SmarTap |-----|   Switch-2   |
        *--------------*     *---------*     *--------------*
                                  |
                                  |
                                  |
                           *--------------*
                           |   Switch-3   |
                           *--------------*

                Figure 4 SmarTap Device Configuration A.


        *--------------*     *---------*     *--------------*
        |   Switch-1   |-----| SmarTap |-----|   Switch-2   |
        *--------------*     *---------*     *--------------*
                                  |
                                  |
                                  |
                           *--------------*
                           |   AA-NPM     |
                           *--------------*

                Figure 5 SmarTap Device Configuration B.


2.2.1. Tapping Location

   One of the tapped packet attributes is its tapping location, which
   indicates the link the packet was tapped from. In a simple
   scenario where the SmarTap is connected directly to the tool, the
   tapping location can be deduced from the receiving port. Otherwise,
   the tapping location, if needed, should be inserted into the tapped
   packet metadata. There are a few options to describe the tapping
   location:

      . Global Grid references
      . Tap-ID
      . Link-ID
      . Received tunnel


2.2.2. Tapping Time stamping

   There are several options for sending tapped packets with
   timestamps:

      . A tapped packet may be sent to the tools with the tapping
        time in the packet's metadata.
      . A packet may be sent with no packet modification (as it was
        received on the link).
      . The timestamp may be global or local to the network. Time
        synchronization and accuracy are determined by the tools.

2.2.3. Flow Digest

   Tapped packets are sent to the tool with preconfigured statistical
   information embedded within the packet metadata, for example the
   packet rate. Which packets to tap and which statistics are
   required is configured by the monitoring tool. Packet statistics
   are compatible with standards such as sFlow, NetFlow or RMON, and
   are collected and provided by the tapping device.
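   The following Python program is an added example; it is not code
   from this draft or from any of the authors' organizations. It
   sketches the load-mitigation options of Section 2.1 (truncation to
   a snap length, 1-in-N sampling and a flow filter) together with the
   per-flow classification and counting of Section 2.2.3, so that the
   tool receives a subset of the packets plus a digest that covers all
   of them. The SmarTap class, the Flow-ID assignment, the layout of
   the statistics and the constructed Ethernet/IPv4 frames are
   assumptions made for this illustration; the draft defines none of
   them, and its statistics are meant to be sFlow/NetFlow/RMON
   compatible rather than the simple counters used here.

```python
"""Added example, not part of the draft: a minimal SmarTap packet-processing
pipeline showing the load-mitigation options of Section 2.1 (truncation,
sampling, filtering) and the per-flow counting of Section 2.2.3. The frame
builder, thresholds and traffic below are constructed for illustration."""
import struct
from collections import defaultdict

ETH_HDR = 14            # Ethernet II header length
IPV4_MIN = 20           # minimum IPv4 header length
ETHERTYPE_IPV4 = 0x0800


def parse_flow_key(frame):
    """Return the 5-tuple (src, dst, proto, sport, dport) of an Ethernet/IPv4
    frame, or None if the frame is not IPv4 or is too short to classify."""
    if len(frame) < ETH_HDR + IPV4_MIN:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[ETH_HDR + 9]
    src, dst = struct.unpack_from("!4s4s", frame, ETH_HDR + 12)
    l4 = ETH_HDR + ihl
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return (src, dst, proto, sport, dport)


class SmarTap:
    """Classifies every packet on the link, counts it per flow, and forwards
    a (possibly truncated) subset to the tool. Assumed model, not the draft's."""

    def __init__(self, snaplen=None, sample_ratio=1, flow_filter=None):
        self.snaplen = snaplen            # truncate to N bytes (e.g. 64/128); None = whole packet
        self.sample_ratio = sample_ratio  # send 1 of every N packets that pass the filter
        self.flow_filter = flow_filter    # predicate on the 5-tuple; None = send all flows
        self.flow_ids = {}                # 5-tuple -> Flow-ID assigned by the tap
        self.stats = defaultdict(lambda: {"packets": 0, "bytes": 0})  # digest per Flow-ID
        self.seen = 0                     # packets that passed the filter

    def classify(self, key, length):
        """Assign (or look up) a Flow-ID and update the flow digest counters."""
        fid = self.flow_ids.setdefault(key, len(self.flow_ids) + 1)
        self.stats[fid]["packets"] += 1
        self.stats[fid]["bytes"] += length
        return fid

    def tap(self, frame):
        """Return (flow_id, bytes_to_send), or None if the packet is counted
        in the digest but not forwarded to the tool."""
        key = parse_flow_key(frame)
        fid = self.classify(key, len(frame)) if key is not None else None
        if self.flow_filter is not None and (key is None or not self.flow_filter(key)):
            return None
        self.seen += 1
        if self.seen % self.sample_ratio != 0:
            return None
        out = frame if self.snaplen is None else frame[:self.snaplen]
        return fid, out


def _ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def make_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4 frame with an 8-byte L4 header stub and a
    zero IP checksum (demo input only, not a valid wire frame)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN + 8 + payload_len, 0, 0,
                     64, proto, 0, _ip4(src_ip), _ip4(dst_ip))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    return eth + ip + l4 + b"\x00" * payload_len


def demo():
    """Eight DNS packets from two alternating flows plus one HTTP packet; the
    tap keeps only port-53 traffic, samples 1 in 2 and truncates to 64 bytes."""
    tap = SmarTap(snaplen=64, sample_ratio=2, flow_filter=lambda k: k[4] == 53)
    frames = [make_frame("10.0.0.1", "10.0.0.2", 17, 40000 + (i % 2), 53, 200)
              for i in range(8)]
    frames.append(make_frame("10.0.0.3", "10.0.0.4", 6, 5000, 80, 1000))
    sent = [r for r in (tap.tap(f) for f in frames) if r is not None]
    return tap, sent


if __name__ == "__main__":
    tap, sent = demo()
    print("forwarded:", [(fid, len(b)) for fid, b in sent])
    print("flow digest:", dict(tap.stats))
```

   Running the program prints the four forwarded packets and a digest
   for all three flows, including the HTTP flow that the filter kept
   away from the tool. Note what the fixed 1-in-2 stride does with two
   flows alternating on the link: every forwarded packet belongs to
   the same flow, while the digest still counts both. A tap that
   samples on a fixed stride can alias with periodic traffic in
   exactly this way, which is why sampling is normally randomized in
   practice.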

2.2.4. Packet Format

   The packet format includes the tapped packet and its metadata. A
   tapped packet may be transmitted to the tool without any packet
   modification, in the same form as it was transmitted on the tapped
   link. A packet can also be truncated to a predefined size, e.g.
   64 or 128 bytes.

   Optionally, a metadata field is added to the packet. Metadata is
   in TLV format: Type, Length, and Value.

   The tunneling protocol used for tapped packets is IP GRE.

   Figure 6 and Figure 7 describe the tapped packet format and a
   tapped packet example. Packet fields are shown from left to right
   in transmission order.

                                                *-------------------*
                                                |   Tapped packet   |
                                                *-------------------*

                                        *-------*-------------------*
                                        | TLV-1 |   Tapped packet   |
                                        *-------*-------------------*

                                *-------*-------*-------------------*
                                | TLV-2 | TLV-1 |   Tapped packet   |
                                *-------*-------*-------------------*

                        *-------*-------*-------*-------------------*
                        | TLV-3 | TLV-2 | TLV-1 |   Tapped packet   |
                        *-------*-------*-------*-------------------*

                *-------*-------*-------*-------*-------------------*
                |  GRE  | TLV-3 | TLV-2 | TLV-1 |   Tapped packet   |
                *-------*-------*-------*-------*-------------------*

                         Figure 6 Packet Format.



      *-----*----------*---------*------------*---------------*
      | GRE | Location | Flow-ID | Timestamp  | Tapped packet |
      *-----*----------*---------*------------*---------------*
                        Figure 7 Packet example.
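   The following Python program is an added example; it is not code
   from this draft. It encodes and parses the layout of Figures 6 and
   7: a GRE header (RFC 2784, 4 bytes when no checksum is present), a
   stack of Type-Length-Value metadata records in the Figure 7 order
   (Location, Flow-ID, Timestamp), and then the tapped packet. The
   draft does not assign TLV type codes, value widths, a GRE protocol
   type, or a way to tell where the metadata ends, so those are
   assumptions here: one-byte Type and Length fields, the type codes
   listed in the code, a zero-length END record as terminator, and a
   placeholder protocol type. The parser bounds-checks every Length
   before reading, which is the check a tool should make before
   trusting metadata that arrives over a tunnel.

```python
"""Added example, not part of the draft: encoder/decoder for the SmarTap
packet layout of Figures 6 and 7 (GRE || TLV metadata || tapped packet).
The TLV type codes, value widths, END terminator and GRE protocol type are
assumptions; the draft does not define them."""
import struct

# --- assumed TLV type codes (the draft only names the fields) ---
TLV_END = 0         # assumed terminator: zero-length record closing the metadata stack
TLV_LOCATION = 1    # value: Tap-ID (uint32) || Link-ID (uint32)
TLV_FLOW_ID = 2     # value: uint32
TLV_TIMESTAMP = 3   # value: uint64 nanoseconds (assumed unit)

GRE_FLAGS_VER = 0x0000      # RFC 2784: C=0, version 0 -> 4-byte header
GRE_PROTO_SMARTAP = 0xFFFF  # placeholder: the draft assigns no protocol type


def encode_tlv(tlv_type, value):
    """Type (1 byte) || Length (1 byte) || Value; Length is limited to 255."""
    if not 0 <= len(value) <= 255:
        raise ValueError("TLV value too long")
    return struct.pack("!BB", tlv_type, len(value)) + value


def build_smartap_packet(tapped, tap_id, link_id, flow_id, ts_ns, snaplen=None):
    """GRE || Location || Flow-ID || Timestamp || END || tapped packet.
    The outer IPv4 header (protocol 47) is left to the tunnel interface."""
    if snaplen is not None:
        tapped = tapped[:snaplen]          # Section 2.1 / 2.2.4 truncation
    metadata = (encode_tlv(TLV_LOCATION, struct.pack("!II", tap_id, link_id))
                + encode_tlv(TLV_FLOW_ID, struct.pack("!I", flow_id))
                + encode_tlv(TLV_TIMESTAMP, struct.pack("!Q", ts_ns))
                + encode_tlv(TLV_END, b""))
    gre = struct.pack("!HH", GRE_FLAGS_VER, GRE_PROTO_SMARTAP)
    return gre + metadata + tapped


def parse_smartap_packet(buf):
    """Parse a SmarTap packet into a dict; raises ValueError on malformed input.
    Every Length is checked against the buffer before the value is read."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags_ver, proto = struct.unpack_from("!HH", buf, 0)
    if flags_ver & 0x0007:                 # version bits must be 0 (RFC 2784)
        raise ValueError("unexpected GRE version")
    off = 8 if flags_ver & 0x8000 else 4   # C bit set -> checksum + reserved1 present
    if proto != GRE_PROTO_SMARTAP:
        raise ValueError("not a SmarTap payload")
    meta = {}
    while True:
        if off + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!BB", buf, off)
        off += 2
        if off + length > len(buf):
            raise ValueError("TLV length exceeds packet")
        value = buf[off:off + length]
        off += length
        if t == TLV_END:
            break
        if t == TLV_LOCATION and length == 8:
            meta["tap_id"], meta["link_id"] = struct.unpack("!II", value)
        elif t == TLV_FLOW_ID and length == 4:
            meta["flow_id"] = struct.unpack("!I", value)[0]
        elif t == TLV_TIMESTAMP and length == 8:
            meta["timestamp_ns"] = struct.unpack("!Q", value)[0]
        else:
            meta.setdefault("unknown", []).append((t, value))   # tolerate unknown types
    meta["tapped"] = buf[off:]
    return meta


def demo_roundtrip():
    """Encode a constructed 200-byte frame truncated to 64 bytes and parse it back."""
    tapped = bytes(range(256))[:200]
    pkt = build_smartap_packet(tapped, tap_id=7, link_id=3, flow_id=42,
                               ts_ns=1390000000000000000, snaplen=64)
    return len(pkt), parse_smartap_packet(pkt)


def demo_rejects_bad_length():
    """A TLV whose Length runs past the buffer must be rejected, not read."""
    bad = struct.pack("!HH", GRE_FLAGS_VER, GRE_PROTO_SMARTAP) + bytes([TLV_LOCATION, 50])
    try:
        parse_smartap_packet(bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    size, meta = demo_roundtrip()
    print(size, {k: v for k, v in meta.items() if k != "tapped"}, len(meta["tapped"]))
    print("bad length rejected:", demo_rejects_bad_length())
```

   The round trip yields a 96-byte packet: 4 bytes of GRE, 10 + 6 +
   10 bytes of metadata, a 2-byte END record and the 64-byte
   truncated frame. Because Figure 6 prepends each TLV in front of the
   previous one, the parser reads them in wire order and stops only at
   the terminator, so a missing or oversized Length is reported rather
   than silently consumed as part of the tapped packet.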





3. SmarTap Deployment Options

                         *-------------------*
                         |                   |
                 +-------|   Interconnect    |-------+
                 |       |                   |       |
                 |       *-------------------*       |
                 |                                   |
        *-----------------*                  *----------------*
        |   Edge Device   |                  |   Edge Device  |
        *-----------------*                  *----------------*
                 |                                   |
        *-----------------*                      *********
        |      Core       |                      *SmarTap*
        *-----------------*                      *********
          |             |                            |
       *-------*   *----------*              *----------------*
       |  Agg  |   |  Network |              |      Core      |
       *-------*   | Analysis |              *----------------*
           |       |   Tool   |                 |           |
      *----------* *----------*                 |       *********
      |Hypervisor|                              |       *SmarTap*
      *----------*                              |       *********
           |                                    |           |
       *********                            *-------*   *-------*
       *SmarTap*                            *  Host *   *  Host *
       *********                            *-------*   *-------*
           |
       *--------*
       |Virtual |
       |Machine |
       *--------*
                  Figure 8 SmarTap deployment example.

   SmarTap deployment is tightly coupled to the network analysis
   tool and its visibility requirements. SmarTap is applied on each
   link that needs to be tapped, whether it is a physical link or a
   virtual switch on a hypervisor. Each SmarTap is configured with
   information such as which data to tap, the required format of the
   packets and their metadata, and the target tools.



3.1. SmarTap with Network Analysis Tools

   Network analysis tools are connected to all SmarTaps that are
   relevant to their application. The SmarTaps are connected to the
   tools either directly or through tunnels. Each tool gets its
   required information in a central location and builds a picture
   of the network.

   The SmarTap architecture can offload the tools by distributing
   traffic classification and counting to the SmarTaps. In this
   option the tools only get digested data, such as standard
   statistics, together with the relevant packets.

   Offline tools also have full visibility of all the relevant data
   they need: the exact location, time and relevant statistics. In
   this scenario all information received from the SmarTaps is
   captured, stored and mapped to its exact time and location.

3.2. SmarTap with Layer-3 Networks

   SmarTaps used in Layer 3 networks still function as TAPs, with
   additional functionality. The tapping location of the received
   packet and its transmitter and receiver locations can still be
   deduced from the MAC and IP addresses of the tapped packet. All
   SmarTap advantages also apply to Layer 3 networks. SmarTap
   provides tapped packets with their metadata, for example:
   location, tapping time and related statistics. With the SmarTap
   architecture the packet tapping location can be derived directly
   from the metadata, which is simpler and more accurate.

4. Security Considerations

   To be updated in a future version of this draft.

5. IANA Considerations

   There are no IANA actions required by this document.

   RFC Editor: please delete this section before publication.

6. References

6.1. Informative References

   [AA-NPM]  Application Aware Network Performance Monitoring

7. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

   Youval Nachum
   Net Optics, an Ixia Company, IL, LLC
   13 Amal Street, Building A
   Rosh Ha'Ayin, 48091 Israel
   Email: youval@netoiptics.com



   Linda Dunbar
   Huawei Technologies
   5430 Legacy Drive, Suite #175
   Plano, TX 75024, USA
   Phone: (469) 277 5840
   Email: ldunbar@huawei.com


   Tal Mizrahi
   Marvell
   6 Hamada St.
   Yokneam, 20692 Israel
   Email: talmi@marvell.com
